Review: XAMPP--An Apache Server Stack - page 3

The Need

June 8, 2005

By
Sean Michael Kerner

The default XAMPP (LAMPP on Linux) configuration is insecure and needs some tweaking, which can easily be done. There is actually a simple command that will correct the most obvious weaknesses for you. XAMPP's developers (ApacheFriends) evidently feel that XAMPP isn't meant for production environments, so that is part of the reason why they haven't implemented the security by default.

Type (as root)

/opt/lampp/lampp security

The security script lets you protect the XAMPP pages with a password, restrict MySQL to local (non-network) access and set a root password for MySQL, change the default FTP password, and add a password for phpMyAdmin. The security status of your XAMPP installation can easily be checked by clicking on the security tab (see Figure 2) on the XAMPP dashboard, which is the default server start page (until you change it).

Beyond what the security script provides, unless you have a good reason to run FTP on the server I'd recommend disabling it. Far too many users still send FTP passwords "in the clear" (unencrypted), so anyone who can sniff the traffic can capture them, and a listening FTP daemon is one more service to be brute-forced or exploited.

To disable FTP, type

/opt/lampp/lampp stopftp

Also, one of the most common hacker "tricks" is to use a search engine to look for server components that have a known vulnerability. Let's say Apache version x has vulnerability y. That vulnerability has likely been widely published, so all a hacker needs to do is find servers announcing Apache version x to run the exploit. If you tell the world what you're running, you make it easier for them to exploit you. There is something to be said for security in anonymity, with one caveat: hiding the version string raises the cost of casual enumeration, but it is no substitute for patching, since a determined attacker can still fingerprint the server from its behaviour.

XAMPP does not provide a script to make this change, so you'll have to edit Apache's httpd.conf (in XAMPP, /opt/lampp/etc/httpd.conf) yourself. The change is made to the ServerTokens directive. XAMPP by default has it set to "Full", which sends the complete version information about Apache and the various compiled-in modules. Change the entry to "Prod", which offers the least detail and reveals only that Apache is running (not which version). The related ServerSignature directive controls the footer line on server-generated pages such as error pages; set it to "Off" to remove that footer entirely. Restart Apache (/opt/lampp/lampp restart) for either change to take effect.

So instead of having your server report "Apache/2.0.53 (Unix) mod_ssl/2.0.53 OpenSSL/0.9.7d PHP/5.0.4 DAV/2 mod_perl/1.999.21 Perl/v5.8.6 Server at hostname/ Port", a veritable buffet for a hacker, you simply get "Apache Server at hostname/ Port", which makes target enumeration significantly harder.
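The following script is an added example, not code from the article or from ApacheFriends. It makes the ServerTokens/ServerSignature change described above in a scripted, repeatable way and shows how to check which value is actually in effect. It assumes XAMPP for Linux keeps its Apache configuration at /opt/lampp/etc/httpd.conf (any httpd.conf path can be passed instead); the sample configuration it operates on in the demo section is constructed here to mirror the weak "Full" default, not copied from a real installation. Because Apache honours the last uncommented occurrence of a directive, the checker reports that last value rather than the first one it finds, and the rewrite collapses duplicates so exactly one active line remains.

```shell
#!/bin/sh
# Added example (not from the article or ApacheFriends): set ServerTokens Prod
# and ServerSignature Off in an Apache httpd.conf, and report the effective
# values. Default path assumes XAMPP for Linux (/opt/lampp/etc/httpd.conf).

# Print the value of the LAST uncommented occurrence of a directive,
# which is the one Apache actually uses. Leading whitespace is ignored.
effective_directive() {
    # $1 = directive name, $2 = httpd.conf path
    sed -e 's/^[[:space:]]*//' "$2" \
        | grep -i "^$1[[:space:]]" \
        | tail -n 1 \
        | awk '{print $2}'
}

# Replace every uncommented occurrence of a directive with a single line
# carrying the desired value; append it if the directive was absent.
# Idempotent: running it twice still leaves exactly one active line.
set_directive() {
    # $1 = directive name, $2 = desired value, $3 = httpd.conf path
    tmp="$3.tmp.$$"
    awk -v name="$1" -v value="$2" '
        {
            line = $0
            sub(/^[[:space:]]+/, "", line)
            # match "<name><space-or-tab>" case-insensitively, comments excluded
            if (tolower(line) ~ ("^" tolower(name) "[ \t]")) {
                if (!done) { print name " " value; done = 1 }
                next    # later duplicates are dropped so one line wins
            }
            print
        }
        END { if (!done) print name " " value }
    ' "$3" > "$tmp" && mv "$tmp" "$3"
}

# Apply both hardening directives to a config file, keeping a backup.
harden_tokens() {
    # $1 = httpd.conf path (defaults to the XAMPP for Linux location)
    conf="${1:-/opt/lampp/etc/httpd.conf}"
    cp "$conf" "$conf.bak" || return 1             # backup for rollback
    set_directive ServerTokens Prod "$conf"        # Server header becomes "Apache"
    set_directive ServerSignature Off "$conf"      # no version footer on error pages
}

# Demo on a constructed sample (not a real XAMPP file): the weak defaults,
# an indented directive, and a commented-out line that must be ignored.
demo_dir=$(mktemp -d)
cat > "$demo_dir/httpd.conf" <<'EOF'
# constructed sample fragment modelled on the XAMPP default
ServerTokens Full
    ServerSignature On
#ServerTokens Prod
EOF
echo "before: ServerTokens=$(effective_directive ServerTokens "$demo_dir/httpd.conf")"
harden_tokens "$demo_dir/httpd.conf"
echo "after:  ServerTokens=$(effective_directive ServerTokens "$demo_dir/httpd.conf")"
echo "after:  ServerSignature=$(effective_directive ServerSignature "$demo_dir/httpd.conf")"
rm -rf "$demo_dir"
```

On a real XAMPP box, run `harden_tokens` with no argument, then `/opt/lampp/lampp restart` and confirm the result from the outside with `curl -sI http://localhost/ | grep -i '^Server:'`, which should now show only `Server: Apache`.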